Salesforce Postman OAUTH2 authentication flow

Test OAuth 2.0 Authorization Flows with Postman


Use Case: You have created an API user and a Connected App, and you want to validate the connectivity before sending the credentials to the third-party application.


Before diving into the details, let’s recap the basics around integrations.
Integrating your Salesforce application with an external application always adds risk to the security and the integrity of your data.
You should strive to mitigate these risks throughout the implementation of the integration.

Start with the way you set up the API user. Have a look at the following guidance on how to set up your integration user in a secure and scalable manner.

Your Connected App should be set up to support OAuth Settings. You can simply follow the official Salesforce article to understand the steps to follow. On top of these steps, I strongly recommend that you define secure policies for your Connected App. Limit the users who are authorized to access your Connected App by restricting access at the profile level or at the permission set level, for instance.

Let’s build that and test the connectivity using Postman.


Create your API User and your Connected App


Here is the result of a basic setup of the Connected App with OAuth 2.0.

[Screenshot: Salesforce configuration of a Connected App]


Test with Postman the OAuth 2.0 Username-Password Authentication Flow


Salesforce supports different OAuth authorization flows depending on your use case. You can find the full list, with the associated use cases, here.

In this article we will be testing the Username-Password Flow. You can test any other flow using the same approach, adjusting the expected parameters. You can also test the connectivity using another tool such as the Chrome Advanced REST Client or any other REST client.

Collect User and Connected App information

Collect the following information to be able to test the authentication:

Action                                        Parameter Key    Parameter Value
API User Username                             username         john.smith@salesforce4ever.com
API User Password + API User Security Token   password         SALESFORCE4EVERCec3eMYTdZBzf656ZTMRzyOO
Connected App Client ID                       client_id        3MVG9SOw8KERNN0.4kGQNIb0Gfruis0VbHVgC.9oK7xszCmmKbskga7Eekflhz3Xz4QIDQh_9Dn1BMJUcjCrp
Connected App Client Secret                   client_secret    CDB8E7E96CF700DAA6B9F8ED833A1D9DB4599CB1EE454529988B6293A1048AB3
Constant Grant Type                           grant_type       password

Concatenate your user’s Security Token with your Password (the password value above is the password immediately followed by the token). Whenever possible, activate IP filtering at the profile level: this way you don’t have to generate and use a Security Token.

Create a new basic Request in Postman and set the parameters

Launch Postman, create a basic Request, and choose the folder where you want to save it.

In order to test the authentication flow, we will request a token from Salesforce. This token is then usable in all subsequent calls to access or manipulate the data. For OAuth 2.0 flows, the endpoint to request a token is https://login.salesforce.com/services/oauth2/token (for a Production org or a Developer org) or https://test.salesforce.com/services/oauth2/token (for sandboxes), and your HTTP request must be a POST.

Don’t replace login.salesforce.com or test.salesforce.com with your own Domain name!

Follow the below steps:

  • Change the Request type from GET to POST
  • Paste one of the endpoints below, matching the type of Org you are testing the connectivity on
    • https://login.salesforce.com/services/oauth2/token
    • https://test.salesforce.com/services/oauth2/token
  • In the Params tab below, enter in the Key column the 5 Parameter Keys (see table above)
  • Next to each key, enter your own value

You should have something looking like this:

[Screenshot: Postman request with the Connected App key/parameter values]

Execute the REST call

Click on the Send button next to the endpoint.

If the connectivity is working, you will get an access_token as well as other information such as the instance_url, which is nothing more than your Domain name.

[Screenshot: successful OAuth 2.0 authorization response in Postman]

You can provide all this information to the third-party application so that it can authenticate to your Org!

Going further…

Once authorized, you can test and validate the permissions at the record level, or even at the field level, thereby testing the permissions the API user actually has.

To do so, let’s create another GET request in Postman and follow the instructions below. We will execute a simple SOQL query through a REST call.

In the Request URL field, enter the endpoint

Action:         Concatenate the instance_url value from the previous authentication call with the service you want to call (here, the query service, to run a SOQL query)
Endpoint Value: https://resourceful-hawk-hwli5q-dev-ed.my.salesforce.com/services/data/v50.0/query/

In the Params tab

Action:          Enter your SOQL query
Parameter Key:   q
Parameter Value: SELECT ID FROM ACCOUNT

In the Headers tab

Action:          Enter the token_type followed by the access_token value from the previous authentication call, separated by a space
Parameter Key:   Authorization
Parameter Value: Bearer 00D09000002VhIj!ARUAQKVSARnQSgoQFVtPO9RxsMLD1jUiLVDhyOSbzYJsCF4j5WjZgNdQX3d.23XpH4h74Vctc1tq6k9Wsh29OGX5nGl0EuKu

Click Send and you should get the following type of result.

[Screenshot: successful SOQL query response in Postman]
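The two Postman calls of this article, the POST to the token endpoint and the GET that runs the SOQL query with the Bearer header, as one added Python example (not the article’s or Salesforce’s code). The HTTP transport is passed in as a function, so the whole flow can be exercised offline: the credential values, the instance URL, the record Ids and the canned JSON answers in the demo are constructed, while the endpoint URLs, the five parameter keys, the query path and the shape of the Authorization header follow the article. The demo transport also answers a wrong password+token with the same error object Salesforce returns, so you can see how a failed login surfaces instead of an access_token.

```python
"""Added example (not the article's code): token request, then SOQL query, in Python.
The HTTP transport is injectable so the flow runs offline against constructed responses."""
import json
import urllib.parse
import urllib.request

# Endpoints from the article. Keep login./test.salesforce.com here; the My Domain
# host only appears afterwards, as instance_url in the token response.
TOKEN_URLS = {
    "production": "https://login.salesforce.com/services/oauth2/token",
    "sandbox": "https://test.salesforce.com/services/oauth2/token",
}


def build_token_request(org_type, username, password, security_token, client_id, client_secret):
    """Return (url, form-encoded body) for the Username-Password flow: the five keys
    of the article's table, with the security token appended to the password."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }
    return TOKEN_URLS[org_type], urllib.parse.urlencode(form).encode()


def parse_token_response(body):
    """Keep the three values the next call needs. A failed login comes back as
    {"error": ..., "error_description": ...} with no access_token at all."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error')}: {data.get('error_description')}")
    return data["instance_url"], data["token_type"], data["access_token"]


def build_query_request(instance_url, token_type, access_token, soql, api_version="v50.0"):
    """instance_url + /services/data/<version>/query/?q=<SOQL>, plus the
    Authorization header built as '<token_type> <access_token>'."""
    url = f"{instance_url}/services/data/{api_version}/query/?" + urllib.parse.urlencode({"q": soql})
    return url, {"Authorization": f"{token_type} {access_token}"}


def http_transport(method, url, body, headers):
    """Network transport for real use: returns the response body as text."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def run_flow(transport, org_type, creds, soql):
    """Token call, then query call, through transport(method, url, body, headers).
    Returns (totalSize, list of record Ids)."""
    url, body = build_token_request(org_type, **creds)
    instance_url, token_type, token = parse_token_response(transport("POST", url, body, {}))
    q_url, headers = build_query_request(instance_url, token_type, token, soql)
    result = json.loads(transport("GET", q_url, None, headers))
    return result["totalSize"], [rec["Id"] for rec in result["records"]]


# --- Offline demo: constructed values; response shapes mirror Salesforce, contents are made up ---
DEMO_CREDS = {
    "username": "john.smith@salesforce4ever.com",
    "password": "CONSTRUCTED_PASSWORD",
    "security_token": "CONSTRUCTED_TOKEN",
    "client_id": "CONSTRUCTED_CLIENT_ID",
    "client_secret": "CONSTRUCTED_CLIENT_SECRET",
}
DEMO_INSTANCE = "https://example-dev-ed.my.salesforce.com"   # constructed My Domain host
DEMO_TOKEN = "00Dxx0000000000!CONSTRUCTED"                    # constructed access token


def demo_transport(method, url, body, headers):
    """Stands in for Salesforce: checks what the client sent, answers with canned JSON."""
    if method == "POST" and url == TOKEN_URLS["production"]:
        form = urllib.parse.parse_qs(body.decode())
        # Wrong password+token -> error object, same shape as Salesforce's invalid_grant answer
        if form.get("password") != [DEMO_CREDS["password"] + DEMO_CREDS["security_token"]]:
            return json.dumps({"error": "invalid_grant", "error_description": "authentication failure"})
        return json.dumps({"access_token": DEMO_TOKEN, "instance_url": DEMO_INSTANCE, "token_type": "Bearer"})
    if headers.get("Authorization") != f"Bearer {DEMO_TOKEN}":
        # Missing or invalid token on the query call: Salesforce answers with a list of errors
        return json.dumps([{"message": "Session expired or invalid", "errorCode": "INVALID_SESSION_ID"}])
    return json.dumps({"totalSize": 2, "done": True, "records": [
        {"attributes": {"type": "Account"}, "Id": "001xx000003DGb1AAG"},
        {"attributes": {"type": "Account"}, "Id": "001xx000003DGb2AAG"},
    ]})


def demo():
    """Run the full flow offline; returns (2, [two constructed Account Ids])."""
    return run_flow(demo_transport, "production", DEMO_CREDS, "SELECT Id FROM Account")


if __name__ == "__main__":
    print(demo())
```

To run it against a real org, call run_flow(http_transport, "production", creds, "SELECT Id FROM Account") with your own values. The access_token you get back is a bearer credential: anyone holding it can act as the API user until it expires or is revoked, so hand it over through the same channel you would use for the password, and keep it out of shared request collections and logs.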

Here it is!

You now know the basics, which you can adapt to your own situation and use to test before sharing with the external application team.


Have you found this interesting? Please share!


4 thoughts on “Test OAuth 2.0 Authorization Flows with Postman”

  1. Pingback: Connect two Salesforce Orgs using OAuth2 authentication

  2. Pingback: Listen to your Salesforce Platform Event using Python

    1. Salesforce 4Ever

      Hi Fabian, thanks for your feedback. Yes, I’ll publish the same tutorial for the JWT flow over the month. Stay tuned!
